Spyware? Adware? Scumware?
In recent months the question ‘what is spyware’ has been asked, interpreted, defined, redefined, discussed in news groups and web boards, and written about by small, medium and large news organizations all around the world, and it is becoming the topic of the day. One thing has become clear from all of it. There is no clear-cut definition for spyware and it is unlikely there ever will be. Like the commercial anti-virus industry, who can’t seem to get together on defining virus risk levels, privacy advocates can’t seem to get together on what constitutes spyware. Not surprisingly over time this has resulted in the use of crossover terms such as adware, scumware, trashware, and several other offensive terms.
It is clear most folks will agree in concept that adware and spyware are 2 different things. However, when asked, most folks on the privacy side of the debate often define them similarly and most recently define them using such terms as trashware and scumware as if this makes the answer more clear. In my opinion this has more to do with the unknown than it does whether an application is violating privacy. Most recently I have seen companies thrown into the spyware fire simply because they have an application component that “appears” to call home to the developer. In many cases the “call home” is never verified but yet the component remains labeled spyware or trashware because it is easier to do than to fully and rationally benchmark test, research and report results. Even in the few cases where real serious testing is conducted the results are still questioned by privacy advocates and the negative label remains.
NewNet and AlkamaiTechnologies are 2 excellent examples. NewNet was the first company I noted that actually sought to clear its name by approaching Lavasoft and questioning its status as a target of AdAware. After weeks of personal attacks back and forth one person decided to fully test NewNet and determined they were doing as claimed and no datamining/spying was occurring. I myself backed that up with additional tests. As a result Lavasoft removed NewNet from its target list and to date has not added them back. However, those findings were stomped on by many, many folks and to date NewNet remains labeled as spyware by many. In fact, the resulting personal backlash caused the original tester to remove himself from the spyware debate altogether, and he has basically disappeared into the abyss of the internet. The loss of this man’s knowledge and skills has hurt this whole issue more than most will ever know. NewNet remains “labeled” and that will likely remain for a very long time. AlkamaiTechnologies is another issue altogether. They are labeled spies and have been for at least a year although I have not personally seen any tangible proof presented they are doing any kind of datamining or spying whatsoever. I personally have researched them extensively and have not found anything to indicate they do any spying. One of their biggest functions is to provide content servers on an outsourced basis. And they do so for nearly every large Internet-based organization in existence today. But yet they are still “labeled” spies.
On the other side of this debate we have the developers of components and applications being labeled as spyware, adware, scumware, etc. They are no better in their claims either. Most of them hide behind statements that consumers are made aware of what actions are conducted in their EULAs (End User Licensing Agreements) and Privacy Statements. For the most part this holds no water either. Most of these agreements and statements are veiled in very long, incomprehensible language that developers (and their legal departments) know folks are not going to read. Or if they do read them they surely will not understand them. In some cases this is made even more suspicious when these agreements are buried in the install or download process. They know most folks are not going to spend the time reading them during the install process. Folks are just trying to get the application installed quickly because it has been marketed to them as something they cannot do without. So even if the company is providing a basically harmless component they are choosing to present it in a way that is known to cause suspicion and mistrust. Then they scream they are doing nothing wrong and they are the victims.
The situation is only getting worse. On the one side we have the advocates of privacy screaming for clear notice and easy to understand user agreements. On the other companies screaming that without advertising they will all go out of business. But no coming together to define what is acceptable behavior and what is not. No coming together to define terminology. In fact, on each side of this debate there is disagreement within as to what defines spyware or adware or what is clear notice and what is not. Matters get made worse by some folks’ comments like a certain well known security proponent with a huge newsletter readership labeling folks on the privacy side of the debate as fanatical, standing up for advertisers’ rights as if they were the victim and then ignoring the whole issue of notice. I won’t even touch on the security issues inherent in this position. That is for another time. But this is a seeming flip from previous stands taken by him in the past. Pressure from advertisers maybe? We also have the maker of a spyware detection and removal tool adding and then removing an application from its target list in a 48-hour period. Interestingly this target application is paid for by consumers rather than freeware or shareware. Pressure from advertisers and/or threats from the developer? Maybe. Certainly a part of the equation. Then we add into the mix a new threat on the horizon. Now we have a company that has developed an application that will use consumers’ computers as servers to deliver advertising to other consumers. So now the big media organizations have decided to jump on the bandwagon too. This event has served no other purpose except to polarize the 2 sides even more.
So what is next? How is this situation resolved? Because it does have to be resolved or it will only get worse. Here are my suggestions. To begin with, labeling needs to be defined. But as I said in the beginning of this article I don’t believe folks are going to reach agreement on this. So how can it be done? There is only one way in my opinion.
Companies that build and distribute these advertising and datamining components and applications need to stop with veiled EULAs and Privacy Statements. It’s time these agreements be made in plain terms and placed where they can be easily found and read. They should also be provided in many locations including on web pages, during the install and from within the application itself. These statements must be easy to find! In addition, users must be notified in writing of any changes made prior to the changes taking effect. Now it is clear that any application that is datamining is going to try and stay away from notice. It’s a tradition since the Pony Express days. But this will only make it easy for the companies that are doing nothing but serving ads to become more acceptable. I don’t believe most folks are opposed to advertising. They are opposed to lack of notice and suspicious activities with no explanation. Companies also need to get better at building these components so they don’t destabilize computer systems like so many do today.
Companies that provide tools to target and remove application components need to clearly explain their definition of a target and from their perspective only. At a minimum this information should include what the violations are (datamining, adserving, etc.), the results of any personal testing, any references used, and addresses to the target’s homepage, user agreements and privacy statements. They should also include the ability to exclude individual components or applications from targeting. This way users of these tools can make their own decisions as to whether they should be blocked or removed or remain. Most importantly they should keep their users informed of all changes to target lists with explanations for any changes. They do not need to justify themselves, just notify. The more popular applications today are not doing this and in my opinion that needs to change. A couple of newcomers are doing things this way and will play a major role in educating consumers properly so they can make informed decisions.
The days of blind trust are gone and developers need to be forthcoming with information as well as good devving. This goes for both sides of the spectrum. If advertisers want our trust back then they need to prove it by being forthcoming about everything they do and building safer, more stable applications. If targeting applications want our trust they must be forthcoming about what they do, how they do it and why. None of this disclosure on either side needs to necessarily be open source either. Certain trade secrets may be necessary in some cases. Especially when dealing with proprietary rights, copyrights and ownership issues. But that is unnecessary if the other things mentioned above are provided.
Now I know there are some that are going to disagree with my assessment. I’ve already heard some of the arguments. I’m taking a too simplistic approach. I don’t understand the problem. I’m against privacy. I’ve heard it all. I am without question a very passionate individual when it comes to privacy. I believe humans all have an inherent right to it. But at the same time I don’t believe it is blanket privacy.
And the answers don’t need to be complicated. This is a simple problem with a simple answer. It is simple notification from all sides. Trust is earned not taken.
I have no inherent distrust of advertisers. But I am disturbed by those advertisers that use things like cookies for tracking across domains whether it is “aggregate” information gathered or not. Or use components that send user information back to the company. Tracking is tracking no matter how it is done and no one likes to find out after the fact. On the other side blindly telling consumers such and such a company is bad and must be removed is no better. I, the consumer, want explanations. Why are they a target? I want honest information so I can make an informed decision. I do understand the problem. That is certain. It is simple. Respect privacy. Give information freely. And allow a little time for it all to work.
These opinions expressed are my own and simply my assessment of the situation as I see it. They are in no way meant to harm anyone. Just the opposite. They are meant to provide a perspective from one consumer who believes in his heart there are many others that feel the same way.
